Appl. Nos. 09/694,416, 90/005,776 & 90/005,733 

Amdt. dated February 15, 2007 

Reply to Office Action of August 17, 2006 

Amendments to the Specification Already Entered: 

Replace the paragraph beginning at column (hereafter "col. ") 1, line 4 with 
the following: 

This application claims the benefit of U.S. Provisional Application 
No. 60/033,271 for PUBLIC KEY CRYPTOGRAPHIC APPARATUS AND 
METHOD, filed Dec. 9, 1996, naming as inventors, Thomas [Colins] Collins, 
Dale Hopkins, Susan Langford and [Michale] Michael Sabin, the [discolsure] 
disclosure of which is incorporated by reference. 

Replace the paragraph beginning at col. 1, line 64 with the following: 
The RSA scheme capitalizes on the relative ease of creating a composite 
number from the product of two prime numbers whereas the attempt to factor 
the composite number into its constituent primes is difficult. The RSA scheme 
uses a public key E comprising a pair of positive integers n and e, where n is a 
composite number of the form 
n = pq 

where p and q are different prime numbers, and e is a number relatively prime 
to (p-1) and (q-1); that is, e is relatively prime to (p-1) or (q-1) if e has no 
factors in common with either of them. Importantly, the sender has access to n 
and e, but not to p and q. The message M is a number representative of a 
message to be transmitted wherein 
$0 < M < n-1$, 

The sender enciphers M to create ciphertext C by computing the exponential 
[$C = M^e \pmod{n}$] $C \equiv M^e \pmod{n}$. 

Replace the paragraph beginning at col. 2, line 19 with the following: 

The recipient of the ciphertext C retrieves the message M using a (private) 
decoding key D, comprising a pair of positive integers d and n, employing the 
relation 

[$M = C^d \pmod{n}$] $M \equiv C^d \pmod{n}$ 

As used in (4), above, d is a multiplicative inverse of 
$e \pmod{\mathrm{lcm}((p-1), (q-1))}$ 

so that 

[$e \cdot d = 1 \pmod{\mathrm{lcm}((p-1), (q-1))}$] $e \cdot d \equiv 1 \pmod{\mathrm{lcm}((p-1), (q-1))}$ 

where lcm((p-1), (q-1)) is the least common multiple of numbers p-1 and q-1. 
Most commercial implementations of RSA employ a different, although 
equivalent, relationship for obtaining d: 

[$d = e^{-1} \bmod (p-1)(q-1)$] $d \equiv e^{-1} \bmod ((p-1) \cdot (q-1))$. 
This alternate relationship simplifies computer processing. 

Replace the paragraph beginning at col. 3, line 23 with the following: 

It is still another object of this invention to provide a system and method for 
implementing an RSA scheme in which the [components] factors of n do not 
increase in length as n increases in length. 

Replace the paragraph beginning at col. 3, line 27 with the following: 
It is still another object to provide a system and method for utilizing multiple 
(more than two), distinct prime number [components] factors to create n. 

Replace the paragraph beginning at col. 3, line 36 with the following: 
The present invention discloses a method and apparatus for increasing the 
computational speed of RSA and related public key schemes by focusing on a 
neglected area of computation inefficiency. Instead of $n = p \cdot q$, as is universal in 
the prior art, the present invention discloses a method and apparatus wherein n 
is developed from three or more distinct random prime numbers; i.e., 
$n = p_1 \cdot p_2 \cdot \ldots \cdot p_k$, where k is an integer greater than 2 and $p_1, p_2, \ldots, p_k$ are sufficiently large 
distinct random primes. Preferably, "sufficiently large primes" are prime 
numbers that are numbers approximately 150 digits long or larger. The 
advantages of the invention over the prior art should be immediately apparent to 
those skilled in this art. If, as in the prior art, p and q are each on the order of, 
say, 150 digits long, then n will be on the order of 300 digits long. However, 
three primes $p_1$, $p_2$, and $p_3$ employed in accordance with the present invention 
can each be on the order of 100 digits long and still result in n being 300 digits 
long. Finding and verifying 3 distinct primes, each 100 digits long, requires 
significantly fewer computational cycles than finding and verifying 2 primes each 
150 digits long. 

Replace the paragraph beginning at col. 3, line 56 with the following: 
The commercial need for longer and longer primes shows no evidence of 
slowing; already there are projected requirements for n of about 600 digits long 
to forestall incremental improvements in factoring techniques and the ever faster 
computers available to break ciphertext. The invention, allowing 4 primes each 
about 150 digits long to obtain a 600 digit n, instead of two primes about [350] 
300 digits long, results in a marked improvement in computer performance. For, 
not only are primes that are 150 digits in size easier to find and verify than ones 
on the order of [350] 300 digits, but by applying techniques the inventors derive 
from the Chinese Remainder Theorem (CRT), public key cryptography 
calculations for encryption and decryption are completed much faster—even if 
performed serially on a single processor system. However, the inventors' 
techniques are particularly adapted to [be] advantageously apply [enable] RSA 
public key cryptographic operations to parallel computer processing. 

Replace the paragraph beginning at col. 4, line 6 with the following: 
The present invention is capable of [using] extending the RSA scheme to 
perform encryption and decryption operation using a large (many digit) n much 
faster than heretofore possible. Other advantages of the invention include its 
employment for decryption without the need to revise the RSA public key 
encryption transformation scheme currently in use on thousands of large and 
small computers. 

Replace the paragraph beginning at col. 4, line 13 with the following: 
A key assumption of the present invention is that n, composed of 3 or more 
sufficiently large distinct prime numbers, is no easier (or not very much easier) 
to factor than the prior art, two prime number n. The assumption is based on 
the observation that there is no indication in the prior art literature that it is 
"easy" to factor a product consisting of more than two sufficiently large, distinct 
prime numbers. This assumption may be justified given the continued effort 
(and failure) among experts to find a way "easily" to break large [component] 
composite numbers into their large prime factors. This assumption is similar, in 
the inventors' view, to the assumption underlying the entire field of public key 
cryptography that factoring composite numbers made up of two distinct primes 
is not "easy." That is, the entire field of public key cryptography is based not on 
mathematical proof, but on the assumption that the empirical evidence of failed 
sustained efforts to find a way systematically to solve NP problems in 
polynomial time indicates that these problems truly are "difficult." 

Replace the paragraph beginning at col. 4, line 32 with the following: 
The invention is preferably implemented in a system that employs parallel 
operations to perform the encryption, decryption operations required by the RSA 
scheme. Thus, there is also disclosed a cryptosystem that includes a central 
processor unit (CPU) coupled to a number of exponentiator elements. The 
exponentiator elements are special purpose arithmetic units designed and 
structured to be provided message data M, an encryption key e, and a number n 
(where [$n = p_1 * p_2 * \cdots p_k$] $n = p_1 \cdot p_2 \cdot \ldots \cdot p_k$, k being greater than 2) and return 
ciphertext C according to the relationship, 
[$C = M^e\ (\mathrm{mod}(n))$] $C \equiv M^e \pmod{n}$. 

Replace the paragraph beginning at col. 4, line 45 with the following: 
Alternatively, the exponentiator elements may be provided the ciphertext C, 
a decryption (private) key d and n to return M according to the relationship, 
[$M = C^d\ (\mathrm{mod}(n))$] $M \equiv C^d \pmod{n}$. 

Replace the paragraph beginning at col. 4, line 50 with the following: 
According to this decryption aspect of the invention, the CPU receives a 
task, such as the requirement to decrypt [cyphertext] ciphertext data C. The 
CPU will also be provided, or have available, a [public] private key [e] d and n, 
and the factors of n ($p_1, p_2, \ldots, p_k$). The CPU breaks the [encryption] decryption 
task down into a number of sub-tasks, and delivers the sub-tasks to the 
exponentiator elements. [When the] The results of the sub-tasks are returned 
by the exponentiator elements to the CPU which [will], using a form of the CRT, 
combines the results to obtain the message data M. An encryption task may be 
performed essentially in the same manner by the CPU and its use of the 
exponentiator elements. However, usually the factors of n are not available to 
the sender (encryptor), only the public key, e and n, so that no sub-tasks are 
created. 

Before the paragraph beginning at col. 5, line 52, insert the following 
paragraph: 

Alternatively, a message data M can be encoded with the private key to a 
signed message data using a relationship of the form 
=/W^(modn)^ 

The message data M can be reproduced from the signed message data by 
decoding the signed data with the public key, using a relationship of the form 

M^/W/(modn), 

Replace the paragraph beginning at col. 5, line 30 with the following: 
According to the present invention, the public key portion e is picked. Then, 
three or more random large, distinct prime numbers, $p_1, p_2, \ldots, p_k$ are 
developed and checked to ensure that each $(p_i - 1)$ is relatively prime to e. 
Preferably, the prime numbers are of equal length. Then, the product 
[$n = p_1, p_2, \ldots, p_k$] $n = p_1 \cdot p_2 \cdot \ldots \cdot p_k$ is computed. 

Replace the paragraph beginning at col. 5, line 36 with the following: 
Finally, the decryption [key] exponent, d, is established by the relationship: 
[$d = e^{-1} \bmod ((p_1 - 1)(p_2 - 1) \ldots (p_k - 1))$] 
$d \equiv e^{-1} \bmod ((p_1 - 1)(p_2 - 1) \cdots (p_k - 1))$, or equivalently 
$d \equiv e^{-1} \bmod (\mathrm{lcm}((p_1 - 1), (p_2 - 1), \ldots, (p_k - 1)))$. 

Replace the paragraph beginning at col. 5, line 41 with the following: 
The message data, M is encrypted to ciphertext C using the relationship of 
(3), above, i.e., 

[$C = M^e \bmod n$] $C \equiv M^e \pmod{n}$. 

Replace the paragraph beginning at col. 5, line 46 with the following: 
To decrypt the ciphertext, C, the relationship of [(3)] (4), above, is used: 
[$M = C^d \bmod n$] $M \equiv C^d \pmod{n}$ 
where n and d are those values identified above. 

Replace the paragraph beginning at col. 5, line 52 with the following: 
Using the present invention involving three primes to develop the product n, 
RSA encryption and decryption time can be substantially less than an RSA 
scheme using two primes by dividing the encryption or decryption task into 
sub-tasks, one sub-task for each distinct prime. (However, breaking the encryption 
or decryption into subtasks requires knowledge of the factors of n. This 
knowledge is not usually available to anyone except the owner of the key, so 
the encryption process can be accelerated only in special cases, such as 
encryption for local storage. A system encrypting data for another user 
performs the encryption process according to (3), independent of the number of 
factors of n. Decryption, on the other hand, is performed by the owner of a key, 
so the factors of n are generally known and can be used to accelerate the 
process.) For example, assume that three distinct primes, $p_1$, $p_2$, and $p_3$, are 
used to develop the product n. Thus, decryption of the ciphertext, C, using the 
relationship 

[$M = C^d \pmod{n}$] $M \equiv C^d \pmod{n}$ 
is used to develop the decryption sub-tasks: 

[$M_1 = C_1^{d_1} \bmod p_1$] $M_1 \equiv C_1^{d_1} \pmod{p_1}$ 

[$M_2 = C_2^{d_2} \bmod p_2$] $M_2 \equiv C_2^{d_2} \pmod{p_2}$ 
[$M_3 = C_3^{d_3} \bmod p_3$] $M_3 \equiv C_3^{d_3} \pmod{p_3}$ 

where 

[$C_1 = C \bmod p_1$;] $C_1 \equiv C \pmod{p_1}$; 
[$C_2 = C \bmod p_2$;] $C_2 \equiv C \pmod{p_2}$; 
[$C_3 = C \bmod p_3$;] $C_3 \equiv C \pmod{p_3}$; 
[$d_1 = d \bmod (p_1 - 1)$] $d_1 \equiv d \pmod{(p_1 - 1)}$; 
[$d_2 = d \bmod (p_2 - 1)$] $d_2 \equiv d \pmod{(p_2 - 1)}$; and 
[$d_3 = d \bmod (p_3 - 1)$] $d_3 \equiv d \pmod{(p_3 - 1)}$. 


Replace the paragraph beginning at col. 6, line 24 with the following: 
The results of each sub-task, $M_1$, $M_2$, and $M_3$ can be combined to produce 
the plaintext, M, by a number of techniques. However, it is found that they can 
most expeditiously be combined by a form of the Chinese Remainder Theorem 
(CRT) using, preferably, a recursive scheme. Generally, the plaintext M is 
obtained from the combination of the individual sub-tasks by the following 
relationship: 

[$Y_i = Y_{i-1} + [(M_i - Y_{i-1})(w_i^{-1} \bmod p_i) \bmod p_i] \cdot w_i \bmod n$] 
$Y_i \equiv Y_{i-1} + ((M_i - Y_{i-1})(w_i^{-1} \pmod{p_i}) \pmod{p_i}) \cdot w_i \pmod{n}$ 
where [$i \geq 2$] $2 \leq i \leq k$ where k is the number of prime factors of n, and 
$M = Y_k$, $Y_1 = C_1$, and $w_i = \prod_{j<i} p_j$. 

Encryption is performed in much the same manner as that used to obtain the 
plaintext M, provided (as noted above) the factors of n are available. Thus, the 
relationship 

[$C = M^e \pmod{n}$] $C \equiv M^e \pmod{n}$, 
can be broken down into the three sub-tasks, 

[$C_1 = M_1^{e_1} \bmod p_1$] $C_1 \equiv M_1^{e_1} \pmod{p_1}$, 
[$C_2 = M_2^{e_2} \bmod p_2$] $C_2 \equiv M_2^{e_2} \pmod{p_2}$ and 
[$C_3 = M_3^{e_3} \bmod p_3$] $C_3 \equiv M_3^{e_3} \pmod{p_3}$, 

where 

[$M_1 = M \pmod{p_1}$] $M_1 \equiv M \pmod{p_1}$, 
[$M_2 = M \pmod{p_2}$] $M_2 \equiv M \pmod{p_2}$, 
[$M_3 = M \pmod{p_3}$] $M_3 \equiv M \pmod{p_3}$, 
[$e_1 = e \bmod (p_1 - 1)$] $e_1 \equiv e \bmod (p_1 - 1)$, 
[$e_2 = e \bmod (p_2 - 1)$] $e_2 \equiv e \bmod (p_2 - 1)$, and 
[$e_3 = e \bmod (p_3 - 1)$] $e_3 \equiv e \bmod (p_3 - 1)$, 

Replace the paragraph beginning at col. 6, line 65 with the following: 
In generalized form, the ciphertext C (i.e., [decrypted] encrypted message 
M) can be obtained by [the same summation] a recursive scheme as identified 
above to obtain the ciphertext C from its contiguous constituent sub-tasks $C_i$. 

Replace the paragraph beginning at col. 7, line 1 with the following: 
Preferably, the recursive CRT method described above is used to obtain 
either the ciphertext[,] C[,] or the deciphered plaintext (message) M due to its 
speed. However, there may be [occasions] implementations when it is 
beneficial to use a non-recursive technique in which case the following 
relationships are used: 

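[$M = \sum_{i=1}^{k} M_i (w_i^{-1} \bmod p_i)\, w_i \bmod n$] $M \equiv \sum_{i=1}^{k} M_i (w_i^{-1} \pmod{p_i})\, w_i \pmod{n}$ 

where 

[$w_i = \prod_{j \neq i} p_j$] $w_i = \prod_{j \neq i} p_j$, 
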

k is the number (3 or more) of distinct primes chosen to develop the product n. 

Replace the paragraph beginning at col. 7, line 17 with the following: 
Thus, for example above (k=3), M is constructed from the returned sub-task 
values $M_1$, $M_2$, $M_3$ by the relationship 

[$M = M_1 (w_1^{-1} \bmod p_1)\, w_1 \bmod n + M_2 (w_2^{-1} \bmod p_2)\, w_2 \bmod n + M_3 (w_3^{-1} \bmod p_3)\, w_3 \bmod n$] 
$M \equiv M_1 (w_1^{-1} \pmod{p_1}) \cdot w_1 \pmod{n} + M_2 (w_2^{-1} \pmod{p_2}) \cdot w_2 \pmod{n} + M_3 (w_3^{-1} \pmod{p_3}) \cdot w_3 \pmod{n}$ 
where 

$w_1 = p_2 p_3$, $w_2 = p_1 p_3$, and $w_3 = p_1 p_2$. 
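
The per-prime decryption sub-tasks and both CRT recombinations described above (the recursive scheme and the non-recursive sum), as an added Python example that is not part of the specification text. The three small primes, e = 17 and all function names are constructed for illustration, and the recursion is seeded with the first sub-task result.

```python
# Added illustration: multi-prime RSA decryption split into per-prime
# sub-tasks and recombined with the recursive and non-recursive CRT forms.
from math import gcd, prod

PRIMES = [1009, 1013, 1019]   # constructed toy primes, far too small for real use
E = 17                        # constructed public exponent


def lcm_all(values):
    out = 1
    for v in values:
        out = out * v // gcd(out, v)
    return out


def make_key(primes, e):
    """Return (n, d) with d = e^-1 mod lcm(p_1 - 1, ..., p_k - 1)."""
    if len(set(primes)) != len(primes):
        raise ValueError("primes must be distinct")
    if any(gcd(e, p - 1) != 1 for p in primes):
        raise ValueError("e must be relatively prime to every p_i - 1")
    return prod(primes), pow(e, -1, lcm_all(p - 1 for p in primes))


def subtasks(c, d, primes):
    """M_i = C_i^(d_i) mod p_i, with C_i = C mod p_i and d_i = d mod (p_i - 1)."""
    return [pow(c % p, d % (p - 1), p) for p in primes]


def combine_recursive(parts, primes):
    """Y_i = Y_(i-1) + ((M_i - Y_(i-1)) * w_i^-1 mod p_i) * w_i, w_i = p_1...p_(i-1)."""
    y, w = parts[0], 1
    for i in range(1, len(primes)):
        w *= primes[i - 1]
        p = primes[i]
        y += ((parts[i] - y) * pow(w, -1, p) % p) * w
    return y  # stays below p_1 * ... * p_i at every step, so no final reduction


def combine_sum(parts, primes):
    """M = sum of M_i * (w_i^-1 mod p_i) * w_i, mod n; w_i = product of the other primes."""
    n = prod(primes)
    total = 0
    for m_i, p in zip(parts, primes):
        w = n // p
        total += m_i * pow(w, -1, p) * w
    return total % n


def decrypt_crt(c, d, primes, combine=combine_recursive):
    """Decrypt ciphertext c using one sub-task per prime factor of n."""
    return combine(subtasks(c, d, primes), primes)
```

Each sub-task exponentiation works with a modulus and exponent about one third the length of n and d, which is where the speed-up claimed in the text comes from; only the holder of the prime factors can use this path.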

Replace the paragraph beginning at col. 7, line 52 with the following: 
The I/O bus 30 communicatively connects the CPU to a number of 
exponentiator elements [32a, 32b, and 32c] 32a, 32b and 32c. Shown here are 
three exponentiator elements, although as illustrated by the "other" 
exponentiators [32n] 32n, additional exponentiator elements can be added. 
Each exponentiator element is a state machine controlled arithmetic circuit 
structured specifically to implement the relationship described above. Thus, for 
example, the exponentiator 32a would be provided the values $M_1$, $e_1$, and $p_1$[, n] 
to develop $C_1$. Similarly, the exponentiator circuits 32b and 32c develop $C_2$ and 
$C_3$ from corresponding subtask values $M_2$, $e_2$, [$P_2$] $p_2$, $M_3$, $e_3$, and [$P_3$] $p_3$. 

Replace the paragraph beginning at col. 8, line 1 with the following: 
In order to ensure a secure environment, it is preferable that the 
cryptosystem 10 meet the Federal Information [Protection System] Processing 
Standard (FIPS) 140-1 level 3. Accordingly, the elements that make up the 
CPU 14 would be implemented in a design that will be secure from external 
probing of the circuit. However, information communicated on the I/O bus 30 
between the CPU 14 and the exponentiator circuits 32 (and external memory 
34— if present) is exposed. Consequently, to maintain the security of that 
information, it is first encrypted by the DES unit 24 before it is placed on the I/O 
bus 30 by the CPU 14. The exponentiator circuits 32, as well as the external 
memory 34, will also include similar DES units to decrypt information received 
from the CPU, and later to encrypt information returned to the CPU 14. 

Replace the paragraph beginning at col. 8, line 52 with the following: 
In similar fashion, information is conveyed to or retrieved from the 
exponentiators 32 by the processor 20 by write or read operations at addresses 
within the address range 44. Consequently, writes to the exponentiators 32 will 
use the DES unit 24 to encrypt the information. When that (encrypted) 
information is received by the exponentiators 32, it is decrypted by on-board 
DES units (of each exponentiator 32). The result[s] of the task performed by the 
exponentiator 32 is then encrypted by the exponentiator's on-board DES unit, 
retrieved by the processor 20 in encrypted form and then decrypted by the DES 
unit 24. 

Replace the paragraph beginning at col. 9, line 24 with the following: 
Assume, for the purpose of the remainder of this discussion, that the 
encryption/decryption tasks performed by the cryptosystem 10, using the 
present invention, employs only three distinct primes, $p_1$, $p_2$, $p_3$. The processor 
20 will develop the sub tasks identified above, using M, e, $p_1$, $p_2$, $p_3$. Thus, for 
example, if the exponentiator 32a were assigned the sub-task of developing $C_1$, 
the processor would develop the values $M_1$[,] and $e_1$[, and $(p_1 - 1)$] and deliver 
[units] (write) these values, with [n] $p_1$ to the exponentiator 32a. Similar values 
will be developed by the processor 20 for the sub-tasks that will be delivered to 
the exponentiators 32b and 32c. 

Replace the paragraph beginning at col. 10, line 15 with the following: 
Alternatively, the [post] host-system 50 may desire to deliver, via the 
communication medium 60, an encrypted communication to one of the stations 
64. If the communication is to be encrypted by the DES scheme, with the DES 
key encrypted by the RSA scheme, the host system would encrypt the 
communication, forward the DES key to one of the cryptosystems 10 for 
encryption via the RSA scheme. When the encrypted DES key is received back 
from the crypto system 10, the host system can then deliver to one or more of 
the stations 64 the encrypted message. 

Replace the paragraph beginning at col. 10, line 25 with the following: 
Of course, the host system 50 and the stations 64 will be using the RSA 
scheme of public key encryption/decryption. Encrypted communications from 
the stations 64 to the host system 50 require that the stations 64 have access to 
the public key [E (E, N)] E=(e, n) while the host system maintains the private 
key [D (D, N,] D=(d, n) and the constituent primes, $p_1, p_2, \ldots, p_k$). Conversely, 
for secure communication from the host system 50 to one or more of the 
stations 64, the host system would retain a public key E' for each station 64, 
while the stations retain the corresponding private keys [E'] D'. 

Replace the paragraph beginning at col. 10, line 35 with the following: 
Other techniques for encrypting the communication could be used. For 
example, the communication could be entirely encrypted by the RSA scheme. If, 
however, the message to be communicated[ion] is represented by a numerical 
value greater than n-1, it will need to be broken up into blocks size M where 
[$0 < M < N-1$] $0 < M < n-1$. 